Have you noticed how popular sites like Facebook and Google are now giving you the ability to add two-factor authentication to improve security? Well now you can add two-factor authentication to your WordPress site. This ensures maximum security for your WordPress site. In this article, we will show you how to add two-factor authentication for WordPress using both Google Authenticator as well as SMS text message.
Why Add Two-Factor Authentication for WordPress Login?
One of the most common tricks hackers use is called brute force attacks. By using automated scripts, hackers try to guess username and password to break into a WordPress site.
If they steal your password or accurately guess it, then they can infect your website with malware.
One of the easiest ways to protect your WordPress website against stolen password is to add two-factor authentication. This way even if someone stole your password, they will need to enter a security code from your phone to gain access.
There are two ways to setup two-factor authentication in WordPress:
- SMS Verification – where you receive the verification code via text message.
- Google Authenticator App – Fallback option where you receive the verification code in an app.
Let’s take a look at how to easily add two-factor verification to your WordPress login screen for free.
1. Adding 2-Step SMS Verification to WordPress Login Screen
This method adds a 2-Step SMS verification to your WordPress login screen. After entering the WordPress username and password, you will receive a text message via SMS on your phone with a code.
First you will need to install the Two Factor and Two Factor SMS plugins. For more details, see our step by step guide on how to install a WordPress plugin.
The first plugin which is called Two Factor provides multiple ways to set up 2-step verification in WordPress. The second plugin, which is called Two Factor SMS is an addon for the first plugin. It adds support for 2-Step SMS verification. You will need both these plugins installed and activated.
Upon activation, you need to head over to Users » Your Profile page and scroll down to Two Factor Options section.
Check the box next to ‘SMS (Twilio)’ option and also click the radio button to make it your primary verification method.
After that scroll down to the Twilio section.
You will be asked to provide your Twilio account information.
Twilio is an online service that offers phone, voice messaging, and SMS services to use with your own applications. They also have a limited free plan which would be sufficient for our purpose here.
Head over to Twilio website and create your free account.
On the signup page, you will be asked for the usual personal information. After that you will be asked which products you would like to use first.
You need to select SMS and then select 2-factor authentication for ‘What you are building’ option. Finally select PHP for your programming language.
Once you have signed up for an account, you will reach your Twilio dashboard where you need to click on the get started button.
This will take you to a settings wizard where you need to click on the ‘Get your first Twilio number’ button.
It will bring up a popup showing a US based phone number. Copy and save this number in a text file and then click on the ‘Choose this number’ button.
You can now exit the wizard and head over to Settings » Geo Permissions page.
Here you need to select the countries where you will be sending SMS. Since you are using the service to receive SMS for yourself, you can select the country you live in and countries you travel to.
Next, you need to visit the Twilio console dashboard to copy your Account SID and Auth Token.
Now you have all the information that you need.
Go to the user profile page on your WordPress site and enter your Twilio Account SID, Auth token, and sender phone number.
Add your own phone number as the ‘Receiver Phone Number’.
Don’t forget to click on the ‘Update Profile’ button to save your settings.
You can now logout from your WordPress site to see the plugin in action.
On login screen, first you will provide your WordPress username and password. After that, you will receive a SMS notification on your phone, and you will be asked to enter the code you received.
After entering the SMS code, you will be able to access your WordPress admin area.
Note: This method works great, but what if you are traveling and unable to receive text messages on your phone number?
Let’s solve this problem by adding a fallback option too.
2. Adding 2-Factor Verification to WordPress with Google Authenticator
As a fallback option, we will setup 2-Factor verification using Google Authenticator.
SMS verification will still be your primary verification method. In case you don’t get the SMS, you’ll still be able to login using the Google Authenticator app on your phone.
Head over to Users » Your Profile page and scroll down to two factor options section.
Click the Enabled checkbox next to ‘Time Based One-Time Password (Google Authenticator)’ and then click on ‘view options’ link to begin Google Authenticator setup.
You will now see a QR code which you will need to scan with the Google Authenticator app.
Go ahead and install Google Authenticator app on your phone.
Once you have installed the app, open it and click on the add button.
Now you need to scan the QR code shown on the plugin’s settings page using your phone’s camera.
The app will detect and add your website. It will also show you a six digit code. Enter the code in the plugin’s settings page, and you are done.
Don’t forget to click on the ‘Update Profile’ button to save your changes.
You can now logout of your WordPress site to see it in action.
First you will have to enter your WordPress username and password. After which you will be asked to enter SMS verification code.
If you didn’t get the SMS code, then you can click on ‘Use backup method’ link and enter the code generated by Google Authenticator app on your phone.
Troubleshooting
If you lose access to your phone, then you may be unable to login. See our guide on what to do when you are locked out of WordPress admin area to recover access to the admin area.
We hope this article helped you add 2-factor SMS verification for WordPress login. You may also want to see our step by step WordPress security guide for beginners.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
How to remove two factor authentication that I get every time I login. I want to simply get rid of this thing.
Thanks in advance!
It would depend on which method you used to set it up, if you used the plugin then you would remove the plugin to remove the two factor authentication. Should you be unable to remove it, if you reach out to your hosting provider they should be able to assist.
Hey please update this post. This plugin is too old and not tested on three major updates of WordPress.
Thank you for letting us know about the plugin not being updated we’ll be sure to take a look at it. The Two Factor SMS plugin is the only one not updated, the first plugin has been updated
Found this to be really helpful related to Two Factor, but FYI – the Two Factor SMS plugin hasn’t been updated in several WP versions.
Thank you for letting us know, we’ll be sure to take a look into this for other plugin options
You can simply do it via wordpress.com.
I’ve followed your exact instructions just now to set up 2FA with Twilio. I logged out after finishing the set-up as per the article, and now I can’t get back into my site! I get the code from Twilio, but it says there’s an error! Unfortunately, I’d not yet set up the 2FA with the authenticator app, as I followed the steps in the article, which was to log out first to see it working. Can you advise please? I’ve checked your article https://www.wpbeginner.com/wp-tutorials/locked-out-of-wordpress-admin/, but this doesn’t seem to cover getting locked out due to 2FA error. I use your site loads, and think your guidance is great! Please help on this one!!
Hi Anna,
You can manually delete the plugin using FTP. Connect to your website and go to /wp-content/plugins/ folder and then delete two-factor and two-factor-sms folders. You can always reinstall the plugins after login.
FreeOTP is an Open Source alternative to Google Authenticator. It is not controlled by Google and is maintained by Red Hat under the Apache 2.0 license. It is available for iOS and Android. It also works on Google sites.